New cyber coordinator also serves too many masters, expert says

U.S. President Barack Obama's new cybersecurity report is short on details and creates a federal coordinator position that may have limited power, some cybersecurity experts said Monday.

The new cybersecurity coordinator will report both to the U.S. National Security Council and the National Economic Council, raising concerns that whoever Obama names will have split priorities, said Stewart Baker, a partner in the Steptoe & Johnson law firm and a former assistant director for policy in the U.S. Department of Homeland Security.

"That is not an indication that this office will be given large amounts of authority," said Baker, who served at DHS during former President George Bush's administration.

While many initial reactions to the release of the Obama administration report were positive, speakers at a Congressional Internet Caucus event Monday raised some concerns, particularly that the report is short on details.

The report, released Friday, calls for the U.S. government to develop a national cybersecurity strategy in addition to the appointment of a federal cybersecurity coordinator. Obama also said cybersecurity would become a key management priority at the White House, and the report recommends a new cybersecurity incident response plan that involves both the U.S. government and the private sector.

Several panelists praised Obama for focusing presidential attention on a growing cybersecurity problem. "I practically wept with joy when the president said that cybersecurity would be a strategic national asset," said James Lewis, senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies, a Washington, D.C., think tank.

While the goals in the report are worthwhile, it took the Obama administration longer than promised to deliver it, he said. While the report and accompanying Obama speech were "really strong," the Obama administration will have to develop metrics to measure cybersecurity success and will have to prove it's doing more than Bush's administration did, Lewis said.

Lewis and other panelists pointed out that this is the fourth major presidential announcement on cybersecurity in the past dozen years, with former plans meeting limited success. Bush's national cybersecurity plan, released in 2003, received attention for about six months, and "then it sat on a shelf," said Marcus Sachs, executive director of government affairs for national security policy at Verizon. "It was no longer a priority."

Still, Sachs and Robert Holleyman, president and CEO of the Business Software Alliance, praised Obama for moving the cybersecurity debate forward. "The nature of the threat is growing so substantially that it was important to undertake this review," Holleyman said.

The Obama plan seems headed in the right direction, added Gregory Nojeim, senior counsel at the Center for Democracy and Technology. Friday's report stresses that cybersecurity must not infringe on U.S. residents' privacy, and it recommends the cybersecurity coordinator's office includes a chief privacy officer.

"They seem to be interested in having privacy baked into the solution," Nojeim.

Baker and other panelists said the new coordinator's position will be difficult as the coordinator will have to rein in cybersecurity efforts at multiple agencies and work with the private sector as well. With such a wide area of responsibility, the first coordinator could easily fail, Baker said.

But with growing reports of sophisticated cybersecurity breaches, the U.S. government needs to take action, Baker added. "This could not be more urgent," he said. "We have to do something, and we have to do it very quickly."